Information Commissioner's Office


The Information Commissioner’s Office (ICO) response to the Maritime &
Coastguard Agency’s consultation on The Merchant Shipping (Counting
and Registration of Persons on Board Passenger Ships) (Amendment)
Regulations 2020


About the ICO 


The Information Commissioner has responsibility in the UK for promoting and 
enforcing the General Data Protection Regulation (GDPR), the Data Protection Act 
2018 (DPA 2018), the Freedom of Information Act 2000, the Environmental 
Information Regulations 2004 and the Privacy and Electronic Communications 
Regulations 2003 (PECR), amongst others. 


The Commissioner is independent from government and upholds information 
rights in the public interest, promoting openness by public bodies and data 
privacy for individuals. The Commissioner does this by providing guidance to 
individuals and organisations and taking appropriate action where the law is 
broken. 


Introduction 


The ICO welcomes the opportunity to respond to this Maritime & Coastguard 
Agency (MCA) consultation. Whilst the consultation is largely concerned with the 
costs of compliance to operators in addition to the impact of reducing the 
reporting time from 30 minutes to 15 minutes, this response focuses on the data 
protection considerations. 


The ICO recognises the benefit of optimising the reporting of passenger data in 
order to reduce the risk to those passengers onboard vessels involved in an 
incident requiring assistance from Search and Rescue authorities. The ICO 
welcomes the clarity of section 2.11 of the consultation, which notes that 
personal data held in relation to these Regulations must “strictly adhere to 
current data protection regulations” and that this will be incorporated into the 
draft statutory instrument. 


Legislative Consultation 


A36(4) of the GDPR imposes a requirement on UK Government to consult with 
the UK’s Data Protection Authority (the ICO) when developing policy proposals 
relating to the processing of personal data. This requirement covers all relevant 
policy proposals for legislation adopted by a national parliament, including: 

• primary and secondary legislation
• regulatory measures (such as directions and orders) made under primary
  or secondary legislation
• statutory codes of practice and
• statutory guidance

Further information on the application of Article 36(4) can be found here.


Data minimisation 


Article 5(1)(c) of the GDPR stipulates that the personal data processed should be 
“adequate, relevant and limited to what is necessary in relation to the purposes 
for which they are processed.” Therefore, it is important that the data required, 
as set out in section 2.7 of the consultation, is the minimum amount of personal 
data needed to fulfil the purpose it is required for. The ICO has produced 
guidance on ensuring compliance with this data minimisation principle that may 
be of use. 


Security of data 


Section 2.8 of the consultation notes that one of the main changes to the 
Regulations is the method by which personal data is shared. Article 5(1)(f) of the 
GDPR concerns the ‘integrity and confidentiality’ of personal data and notes that 
personal data should be processed in a manner that ensures appropriate security 
of said data, including protection against unauthorised or unlawful processing 
and against accidental loss, destruction or damage, using appropriate technical 
or organisational measures. 


This principle needs to be considered alongside Article 32 of the GDPR, which 
specifies that in relation to the security of personal data, organisations should 
take into account the state of the art, the costs of implementation and the 
nature, scope, context and purposes of processing as well as the risk of varying 
likelihood and severity for the rights and freedoms of natural persons. 


Passenger ship operators therefore need to implement appropriate technical and 
organisational measures to ensure a level of security appropriate to the risk of 
using systems such as the National Single Window (NSW) or ships’ Automatic 
Identification System (AIS). In particular, when processing personal data which 
passengers volunteer concerning any need they have for special care or 
assistance in emergency situations, organisations must make sure they treat 
these passengers fairly. As some of this information may constitute special 
category data, stronger safeguards may need to be in place. 


The ICO has developed guidance on how organisations can comply with the 
security principle of the GDPR and what considerations they need to take. 


ICO’s Data Sharing Code of Practice


The data protection legislation obliges the Information Commissioner to produce 
a statutory Code of Practice on data sharing. The code is currently being finalised 
following public consultation. When completed, it will be submitted to the 
Secretary of State and then laid before Parliament. Organisations involved in 
processing passenger details and sharing these through the National Single 
Window (NSW) or ships’ Automatic Identification Systems (AIS) will need to take 
the Code into account when sharing personal data. 


Adhering to the code will help to ensure good practice around data sharing and 
help to manage risks associated with sharing information, including the parties’ 
approach to matters such as security. Following the code and adopting its 
practical recommendations will help to give passenger ship operators confidence 
to collect and share personal data in a way that is fair, transparent and in line 
with the rights and expectations of the passengers whose information is being 
shared. 


Data retention 


Article 5(1)(e) of the GDPR specifies that data must not be retained for longer 
than necessary in relation to the purpose for which it is processed. Section 2.11 
of the consultation notes that the statutory instrument will include the 
requirement that “passenger information held on record is erased without undue 
delay” and at the latest once each voyage has concluded. The ICO notes that 
section 7(c) of the draft Regulation reflects this. 


Ensuring that personal data is erased or anonymised when it is no longer needed 
reduces the risk that it becomes irrelevant, excessive, inaccurate or out of date. 
This also reduces the risk that controllers will use such data in error. 

Those operating passenger ships should ensure the system they use facilitates 
the erasure of data when required and that passengers are informed of the 
retention policy. 


Transparency information for data subjects 


The requirement to provide privacy information to individuals in relation to how 
their personal data will be processed is a fundamental right under the data 
protection legislation. Articles 13 and 14 of the GDPR specify what individuals 
have the right to be informed about in relation to the processing of their personal 
data. 


This is an obligation that passenger ship operators will need to comply with to
ensure that passengers are provided with clear and comprehensive information 
about how their personal data will be processed including what personal data will 
be collected, the purpose of the processing, how long it will be processed for (as 
noted in the data retention section above), and who it will be shared with. 
Further, data should not be processed in a way which data subjects would not 
reasonably expect. 


It is often most effective to provide privacy information using a combination of 
techniques, including layering and dashboards. Careful consideration should be 
taken by passenger ship operators regarding what format is the most appropriate 
under the circumstances. 


Privacy information must be regularly reviewed to ensure that any new use of an 
individual’s personal data is brought to that individual’s attention before the 
processing begins. The Information Commissioner has published guidance on 
privacy information that provides further information on this requirement. 


Conclusions

We hope the above comments are useful to the MCA in taking forward the 
proposed policy changes. The ICO is happy to provide further input on these 
matters and we await formal consultation under Article 36(4) of the GDPR in 
respect of the legislative proposals outlined. 

The Information Commissioner’s Office 


November 2020 